docs: update for k8s support for igw and header manip (#12264)
Add docs now that k8s supports these new config entry fields
parent
246d5e947d
commit
ecc5dae06f
|
@ -600,7 +600,12 @@ spec:
|
|||
protocol: http
|
||||
services:
|
||||
- name: api
|
||||
# HTTP Header manipulation is not supported in Kubernetes CRD
|
||||
requestHeaders:
|
||||
add:
|
||||
x-gateway: us-east-ingress
|
||||
responseHeaders:
|
||||
remove:
|
||||
- x-debug
|
||||
```
|
||||
|
||||
```json
|
||||
|
@ -676,7 +681,12 @@ spec:
|
|||
services:
|
||||
- name: api
|
||||
namespace: frontend
|
||||
# HTTP Header manipulation is not supported in Kubernetes CRD
|
||||
requestHeaders:
|
||||
add:
|
||||
x-gateway: us-east-ingress
|
||||
responseHeaders:
|
||||
remove:
|
||||
- x-debug
|
||||
```
|
||||
|
||||
```json
|
||||
|
@ -981,21 +991,25 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
},
|
||||
{
|
||||
name: 'TLSMinVersion',
|
||||
yaml: false,
|
||||
type: 'string: ""',
|
||||
description: "Set the default minimum TLS version supported for the gateway's listeners. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.",
|
||||
description:
|
||||
"Set the default minimum TLS version supported for the gateway's listeners. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.",
|
||||
},
|
||||
{
|
||||
name: 'TLSMaxVersion',
|
||||
yaml: false,
|
||||
type: 'string: ""',
|
||||
description: {
|
||||
hcl:
|
||||
"Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." ,
|
||||
"Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.",
|
||||
yaml:
|
||||
"Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." ,
|
||||
"Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'CipherSuites',
|
||||
yaml: false,
|
||||
type: 'array<string>: <optional>',
|
||||
description: `Set the default list of TLS cipher suites for the gateway's
|
||||
listeners to support when negotiating connections using
|
||||
|
@ -1007,11 +1021,10 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
releases of Envoy may remove currently-supported but
|
||||
insecure cipher suites, and future releases of Consul
|
||||
may add new supported cipher suites if any are added to
|
||||
Envoy.`
|
||||
Envoy.`,
|
||||
},
|
||||
{
|
||||
name: 'SDS',
|
||||
yaml: false,
|
||||
type: 'SDSConfig: <optional>',
|
||||
description:
|
||||
'Defines a set of parameters that configures the gateway to load TLS certificates from an external SDS service. See [SDS](/docs/connect/gateways/ingress-gateway#sds) for more details on usage.<br><br>SDS properties defined in this field are used as defaults for all listeners on the gateway.',
|
||||
|
@ -1105,7 +1118,6 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
\`*-suffix.example.com\` are not.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'RequestHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
@ -1113,7 +1125,6 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
This cannot be used with a \`tcp\` listener.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'ResponseHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
@ -1122,7 +1133,6 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
},
|
||||
{
|
||||
name: 'TLS',
|
||||
yaml: false,
|
||||
type: 'ServiceTLSConfig: <optional>',
|
||||
description: 'TLS configuration for this service.',
|
||||
children: [
|
||||
|
@ -1154,7 +1164,6 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
},
|
||||
{
|
||||
name: 'TLS',
|
||||
yaml: false,
|
||||
type: 'TLSConfig: <optional>',
|
||||
description: 'TLS configuration for this listener.',
|
||||
children: [
|
||||
|
@ -1165,26 +1174,26 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
hcl:
|
||||
"Set this configuration to `true` to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in each service's `Hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added. TLS can not be disabled for individual listeners if it is enabled on the gateway.",
|
||||
yaml:
|
||||
"Set this configuration to `true` to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in the `hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added. TLS can not be disabled for individual listeners if it is enabled on the gateway.",
|
||||
"Set this configuration to `true` to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in each service's `hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added. TLS can not be disabled for individual listeners if it is enabled on the gateway.",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'TLSMinVersion',
|
||||
yaml: false,
|
||||
type: 'string: ""',
|
||||
description: "Set the minimum TLS version supported for this listener. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.",
|
||||
description:
|
||||
'Set the minimum TLS version supported for this listener. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.',
|
||||
},
|
||||
{
|
||||
name: 'TLSMaxVersion',
|
||||
yaml: false,
|
||||
type: 'string: ""',
|
||||
description: {
|
||||
hcl:
|
||||
"Set the maximum TLS version supported for this listener. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." ,
|
||||
yaml:
|
||||
"Set the maximum TLS version supported for this listener. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." ,
|
||||
},
|
||||
description:
|
||||
'Set the maximum TLS version supported for this listener. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.',
|
||||
},
|
||||
{
|
||||
name: 'CipherSuites',
|
||||
yaml: false,
|
||||
type: 'array<string>: <optional>',
|
||||
description: `Set the list of TLS cipher suites to support when negotiating
|
||||
connections using TLS 1.2 or earlier. If unspecified,
|
||||
|
@ -1195,7 +1204,7 @@ You can specify the following parameters to configure ingress gateway configurat
|
|||
and is dependent on underlying support in Envoy. Future
|
||||
releases of Envoy may remove currently-supported but
|
||||
insecure cipher suites, and future releases of Consul
|
||||
may add new supported cipher suites if any are added to Envoy.`
|
||||
may add new supported cipher suites if any are added to Envoy.`,
|
||||
},
|
||||
{
|
||||
name: 'SDS',
|
||||
|
|
|
@ -36,10 +36,9 @@ service of the same name.
|
|||
to any configured
|
||||
[`service-resolver`](/docs/connect/config-entries/service-resolver).
|
||||
|
||||
## UI
|
||||
## UI
|
||||
|
||||
|
||||
Once a `service-router` is successfully entered, you can view it in the UI. Service routers, service splitters, and service resolvers can all be viewed by clicking on your service then switching to the *routing* tab.
|
||||
Once a `service-router` is successfully entered, you can view it in the UI. Service routers, service splitters, and service resolvers can all be viewed by clicking on your service then switching to the _routing_ tab.
|
||||
|
||||
![screenshot of service router in the UI](/img/l7-routing/Router.png)
|
||||
|
||||
|
@ -309,14 +308,16 @@ spec:
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace to which the configuration entry will apply.',
|
||||
description:
|
||||
'Specifies the namespace to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the admin partition to which the configuration will apply.',
|
||||
description:
|
||||
'Specifies the admin partition to which the configuration will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -596,7 +597,6 @@ spec:
|
|||
'A list of HTTP response status codes that are eligible for retry.',
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'RequestHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
@ -604,7 +604,6 @@ spec:
|
|||
This cannot be used with a \`tcp\` listener.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'ResponseHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
@ -614,21 +613,12 @@ spec:
|
|||
]}
|
||||
/>
|
||||
|
||||
|
||||
### `HTTPHeaderModifiers`
|
||||
|
||||
<ConfigEntryReference
|
||||
topLevel={false}
|
||||
yaml={false}
|
||||
keys={[
|
||||
{
|
||||
hcl: false,
|
||||
name: 'Unsupported',
|
||||
type: '',
|
||||
description: `HTTP Header modification is not yet supported in our Kubernetes CRDs.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'Add',
|
||||
type: 'map<string|string>: optional',
|
||||
description: `The set of key/value pairs that specify header values to add.
|
||||
|
@ -641,7 +631,6 @@ spec:
|
|||
metadata into the value added.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'Set',
|
||||
type: 'map<string|string>: optional',
|
||||
description: `The set of key/value pairs that specify header values to add.
|
||||
|
@ -654,7 +643,6 @@ spec:
|
|||
metadata into the value added.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'Remove',
|
||||
type: 'array<string>: optional',
|
||||
description: `The set of header names to remove. Only headers
|
||||
|
|
|
@ -39,9 +39,9 @@ resolution stage.
|
|||
to any configured
|
||||
[`service-resolver`](/docs/connect/config-entries/service-resolver).
|
||||
|
||||
## UI
|
||||
## UI
|
||||
|
||||
Once a `service-splitter` is successfully entered, you can view it in the UI. Service routers, service splitters, and service resolvers can all be viewed by clicking on your service then switching to the *routing* tab.
|
||||
Once a `service-splitter` is successfully entered, you can view it in the UI. Service routers, service splitters, and service resolvers can all be viewed by clicking on your service then switching to the _routing_ tab.
|
||||
|
||||
![screenshot of service splitter in the UI](/img/l7-routing/Splitter.png)
|
||||
|
||||
|
@ -152,13 +152,12 @@ spec:
|
|||
|
||||
</CodeTabs>
|
||||
|
||||
|
||||
### Set HTTP Headers
|
||||
|
||||
Split traffic between two subsets with extra headers added so clients can tell
|
||||
which version (not yet supported in Kubernetes CRD):
|
||||
which version:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "JSON" ]}>
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "service-splitter"
|
||||
|
@ -185,6 +184,25 @@ Splits = [
|
|||
]
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: consul.hashicorp.com/v1alpha1
|
||||
kind: ServiceSplitter
|
||||
metadata:
|
||||
name: web
|
||||
spec:
|
||||
splits:
|
||||
- weight: 90
|
||||
serviceSubset: v1
|
||||
responseHeaders:
|
||||
set:
|
||||
x-web-version: v1
|
||||
- weight: 10
|
||||
serviceSubset: v2
|
||||
responseHeaders:
|
||||
set:
|
||||
x-web-version: v2
|
||||
```
|
||||
|
||||
```json
|
||||
{
|
||||
"Kind": "service-splitter",
|
||||
|
@ -240,14 +258,16 @@ Splits = [
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace to which the configuration entry will apply.',
|
||||
description:
|
||||
'Specifies the namespace to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the admin partition to which the configuration entry will apply.',
|
||||
description:
|
||||
'Specifies the admin partition to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -314,7 +334,6 @@ Splits = [
|
|||
'The admin partition to resolve the service from instead of the current partition. If empty, the current partition is used.',
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'RequestHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
@ -322,7 +341,6 @@ Splits = [
|
|||
This cannot be used with a \`tcp\` listener.`,
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
name: 'ResponseHeaders',
|
||||
type: 'HTTPHeaderModifiers: <optional>',
|
||||
description: `A set of [HTTP-specific header modification rules](/docs/connect/config-entries/service-router#httpheadermodifiers)
|
||||
|
|